MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cebb5bb7177a20961e79e4609e2789adec6b38a9d91269794f9fcbed6fea73af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuakBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cebb5bb7177a20961e79e4609e2789adec6b38a9d91269794f9fcbed6fea73af
SHA3-384 hash: 6f58e73ff41282e9c65637adfe90871184f47d647bbdec07b2fc61e49075993645dbc516f2889b3b0a9fd73634838f9f
SHA1 hash: 5b158645ba1c578e11d92841f88ddb79959dff77
MD5 hash: a752068ba2195b8b2aa0afef012a9017
humanhash: fanta-low-sodium-pip
File name:SecuriteInfo.com.BScope.Trojan.Cobalt.27766
Download: download sample
Signature QuakBot
Create hunting rule
File size:1'094'120 bytes
First seen:2020-11-11 20:45:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba5c263c6125faae2c597950f7826711 (27 x Quakbot)
ssdeep 12288:gqflDDoYeF20NNHCW8k45hox9l7pUHIX6EQ2Xbhy:g00E0NNHCWZmO7aHONbk
Threatray 1'092 similar samples on MalwareBazaar
TLSH 5735011BE1E35BCBE483417C69E290BA9532EF8DDB1BD46B2A18F1D871B23C5851E604
Reporter SecuriteInfoCom
Tags:Quakbot

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BScope.Trojan.Cobalt.27766.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/530663
Signature
Binary contains a suspicious time stamp
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: QBot Process Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cebb5bb7177a20961e79e4609e2789adec6b38a9d91269794f9fcbed6fea73af/
Threat name:
Win32.Trojan.PinkSbot
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 19:57:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z25vxnyxpiqjmhtz4rqj4j4jvxwgwofj3ejgs6kpt7f6237kooxq._file
Verdict:
malicious
Similar samples:
0398844ca099a73ba98b3196ab5c4f2fead6d92ca752e0f47741099fdb12ebd7
QuakBot
16e8dd4d681393a757e3420dfd00187ce7bca1aaf0f792c33bc6bc68693b936a
QuakBot
5dee81f839ef4b7e681bfe9dc08efd092c286c5c69fd3bff279ca4deea225b9d
QuakBot
6ca8c7e8acaec97b05aa175a11e2e474621706a320eca4b1b0096d6a150c162c
QuakBot
8109257615124835d77bf857ba60bc516ae9319daf92444028663653358ca3ba
QuakBot
929094608e71b060fdc03550dbe909393e4ed37377c1809139b1fac476277a82
QuakBot
a496166b093b8b09a59f952e7a9a2196aa7754dd3485b4412ec0334cd59714a3
QuakBot
a52e06bd2bb36e4f17e67250a98bb51927af5e0c335b09fcfb0cf8ad7f9d16be
QuakBot
afb04ccb08e70f8364ab5550702d3700ec8a4e288f784d9d3a0c2d87731f9241
QuakBot
c9983c3e092189ca9b39f6b2d470f49a8098cb98ef605f7b4057be975664f2d3
QuakBot
+ 1'082 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot banker stealer trojan
Link:
https://tria.ge/reports/201111-qftjqblvf2/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Qakbot/Qbot
Unpacked files
SH256 hash:
cebb5bb7177a20961e79e4609e2789adec6b38a9d91269794f9fcbed6fea73af
MD5 hash:
a752068ba2195b8b2aa0afef012a9017
SHA1 hash:
5b158645ba1c578e11d92841f88ddb79959dff77
Link:
https://www.unpac.me/results/c0bbd8c2-8e8d-44b3-affe-1ea48c9c92a8/
SH256 hash:
22a5f7747bbe1b7e35ed9271470d0622872340be9d63ab809bf438d7e976153a
MD5 hash:
1d862a50217a4163bcf0f77f1ade0cb3
SHA1 hash:
b460f0cf9396434570f82d505ccaf3179e226df5
Detections:
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c0bbd8c2-8e8d-44b3-affe-1ea48c9c92a8/
Parent samples :
b62204e7ac2de6eb620fc2849593ab3bf50132836a5b648d572fd728c2404e72
eb9915d87fd32bf37ff5e764a80b6fb4957598433774ae9fed10f82d932dba0c
cebb5bb7177a20961e79e4609e2789adec6b38a9d91269794f9fcbed6fea73af
5c6f9bba14dfb1e7b6a8dd697ae6ba69181d5af7cccf6dd40b89516d5ea483c3
54143d46ffc8e27ed096659781ace6b86d64e60c6824a59104816f6b2eab0905
9003653bd1f19432eb423ccf719c2de2189663b4240704d9eef95144945b348f
SH256 hash:
4fa3f7a2f53e920a0abde69388a387539e1e507ab3d7917482609b853224c4ac
MD5 hash:
0cb98e2e9c547b99ccdd5e9dc1ccf47c
SHA1 hash:
e12009bcccfa411e2ad92575379aa08aa7d3218b
Detections:
win_qakbot_g0
Create hunting rule
win_qakbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c0bbd8c2-8e8d-44b3-affe-1ea48c9c92a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cebb5bb7177a20961e79e4609e2789adec6b38a9d91269794f9fcbed6fea73af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments